CN113139195A - Data encryption method and computing device - Google Patents

Info

Publication number
CN113139195A
Authority
CN
China
Prior art keywords
data
encrypted
node
data block
tree structure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110429144.9A
Other languages
Chinese (zh)
Other versions
CN113139195B (en)
Inventor
卢桢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Uniontech Software Technology Co Ltd filed Critical Uniontech Software Technology Co Ltd
Priority to CN202110429144.9A priority Critical patent/CN113139195B/en
Publication of CN113139195A publication Critical patent/CN113139195A/en
Priority to PCT/CN2021/118419 priority patent/WO2022222350A1/en
Application granted granted Critical
Publication of CN113139195B publication Critical patent/CN113139195B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a data encryption method and computing equipment, wherein the method comprises the following steps: acquiring data to be encrypted; storing data to be encrypted in a tree structure, wherein the maximum storage capacity of each node in the tree structure is the same, and all leaf nodes except the rightmost leaf node in the tree structure store data with the maximum capacity; encrypting each node corresponding to the data to be encrypted in the tree structure through an encryption algorithm; and storing the encryption key of each node into the parent node of the node. By the method, the data to be encrypted is divided into the data blocks, the data blocks are stored in the tree structure, each node in the tree structure stores the data block or the data block pointer, and each node in the tree structure is encrypted, so that the metadata and the real data are protected, and the security of data encryption is improved. Moreover, the encryption key of each node is stored in the father node of the node, so that the decryption difficulty is high, and the security of data encryption is further improved.

Description

Data encryption method and computing device
Technical Field
The present invention relates to the field of encryption technologies, and in particular, to a data encryption method, a computing device, and a storage medium.
Background
With the continuous development of information technology, the data security of individuals and enterprises has become more and more important, and how to guarantee data security has become a current hotspot. As encryption technology has evolved, a number of mature encryption tools implemented on stacked file systems, such as EncFS and eCryptfs, have appeared. However, after data is encrypted with these tools, an attacker can still decrypt the encrypted data using file comparison techniques, so the data is easy to crack and the security of existing encryption software is low.
Therefore, the invention provides a data encryption method capable of improving data security.
Disclosure of Invention
To this end, the present invention provides a data encryption method in an attempt to solve or at least alleviate the above-presented problems.
According to an aspect of the present invention, there is provided a data encryption method, executed in a computing device, the method comprising the steps of:
acquiring data to be encrypted;
storing data to be encrypted in a tree structure, wherein the maximum storage capacity of each node in the tree structure is the same, and all leaf nodes except the rightmost leaf node in the tree structure store data with the maximum capacity;
encrypting each node corresponding to the data to be encrypted in the tree structure through an encryption algorithm;
and storing the encryption key of each node into the parent node of the node.
Optionally, the step of storing the data to be encrypted in a tree structure includes:
and splitting the data to be encrypted into a plurality of data blocks, and storing each data block into each node corresponding to the data to be encrypted in the tree structure.
Optionally, the step of splitting the data to be encrypted into a plurality of data blocks includes:
determining the current offset of a data pointer of data to be encrypted;
taking the determined current offset of the data pointer as an initial position, and reading data of a first preset numerical value from the data to be encrypted as a data block;
and updating the current offset of the data pointer to be the sum of the determined current offset of the data pointer and the first preset value.
Optionally, the step of reading data of a first preset value from the data to be encrypted with the determined current offset of the data pointer as a start position, as a data block, includes:
judging whether the product of the current reading times of the data to be encrypted and the first preset value is smaller than the size of the data to be encrypted, if so, reading the data of the first preset value by taking the determined current offset of the data pointer as an initial position, if not, determining the quantity of the data to be encrypted to be read as a second value by taking the determined current offset of the data pointer as the initial position, and reading the data of the second value by taking the determined current offset of the data pointer as the initial position:
L=m-(a-1)*b
wherein L is the number of the data to be encrypted, m is the memory size occupied by the data to be encrypted, a is the current times of reading the data to be encrypted, and b is a first preset value;
the read data is used as a data block.
Optionally, the step of saving each data block to each node corresponding to the data to be encrypted in the tree structure includes:
allocating a data block identifier for each data block and setting version information for each data block, wherein the data block identifier of each data block is not repeated, and the version of each data block is distinguished through the data block version information;
and judging whether the current node has a child node, if so, storing the data block identifier of the data block stored in the child node corresponding to the current node in the current node, if not, taking the allocated data block identifier and the set version information as the header file of the data block, and storing the current data block and the header file corresponding to the data block into the current node.
Optionally, the step of using the allocated data block identifier and the set version information as a header file of the data block, and saving the current data block and the header file corresponding to the data block to the current node includes:
judging whether other subtrees in the tree structure have nodes which are not filled with data or not, if not, executing a step of taking the distributed data block identifications and the set version information as header files of the data blocks and storing the current data blocks and the header files corresponding to the data blocks into the current nodes, and if so, judging whether the sum of the size of the data blocks corresponding to the read second numerical data and the size of the data blocks in the nodes which are not filled with data exceeds the maximum storage capacity of the nodes or not;
if the maximum storage capacity of the node is exceeded, executing a step of taking the distributed data block identification and the set version information as a header file of the data block and storing the current data block and the header file corresponding to the data block into the current node;
and if the maximum storage capacity of the node is not exceeded, merging the data blocks corresponding to the read second numerical data into the found node which is not filled with data.
Optionally, the step of encrypting each node corresponding to the data to be encrypted in the tree structure by using an encryption algorithm includes:
and encrypting a plurality of nodes corresponding to the data to be encrypted in the tree structure in parallel at one time through an encryption algorithm.
Optionally, the method further comprises the steps of:
responding to the operation of deleting the data blocks in the nodes corresponding to the data to be encrypted in the tree structure, and storing the data block identifications corresponding to the deleted data blocks into a deletion list;
responding to the operation of the newly added data block, judging whether the data block identification of the newly added data block exists in the deletion list, if so, not adding the newly added data block to the node corresponding to the data to be encrypted in the tree structure, and if not, adding the newly added data block to the node corresponding to the data to be encrypted in the tree structure.
Optionally, the method further comprises the steps of:
acquiring a name of data to be encrypted;
searching a father node of data to be encrypted;
creating a data block for data to be encrypted and creating a data block identifier;
encrypting a data block corresponding to the data to be encrypted by an encryption algorithm;
and adding a directory entry of the data to be encrypted in the parent node, wherein the directory entry comprises the name of the data to be encrypted, the data block identifier corresponding to the data to be encrypted and the encryption key of the data block corresponding to the data to be encrypted.
Optionally, the maximum storage capacity of the node is equal to a first predetermined value, and the first predetermined value is 512 KB.
According to an aspect of the present invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method as described above.
According to an aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method as described above.
According to the technical scheme of the invention, the data encryption method is provided, the data to be encrypted is divided into a plurality of data blocks, the data blocks are stored in a tree structure, each node in the tree structure stores a data block or a data block pointer, and each node in the tree structure is encrypted, so that the protection of metadata and real data is realized, and the security of data encryption is improved. Moreover, the encryption key of each node is stored in the father node of the node, so that the decryption difficulty is high, and the security of data encryption is further improved.
The invention can also encrypt a plurality of nodes in parallel, thereby improving the efficiency of data encryption. And the data block identification and the version information of the data are stored in the node, so that an attacker can be prevented from replacing or deleting the data corresponding to the current data block identification by using the data corresponding to different data block identifications, and can also be prevented from replacing or deleting the current version data by using the data of the previous version, and the security of data encryption is improved again.
In addition, other leaf nodes except the rightmost leaf node of the tree structure applied in the invention store the data with the maximum capacity, and because other leaf nodes store the data with the maximum capacity, the number of nodes can be reduced when the data with the same size is stored, so that the occupation of storage space is reduced in the data encryption process, the system operation efficiency is improved, and the data encryption efficiency is further improved. On the basis, the data blocks to be stored of the unfilled nodes in different subtrees in the tree structure can be merged, and the waste of the storage space can be reduced under the condition of reducing the occupation of the storage space in the data encryption process.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention;
FIG. 2 shows a flow diagram of a data encryption method 200 according to one embodiment of the invention;
FIG. 3 illustrates a schematic diagram of a tree structure according to one embodiment of the invention;
FIG. 4 is a diagram illustrating a mapping table of a tree structure corresponding to data to be encrypted according to an embodiment of the present invention; and
FIG. 5 shows a flowchart of a method for saving a data block to a node in a tree structure corresponding to data to be encrypted according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
With the continuous development of information technology, the data security of individuals and enterprises has become more and more important, and how to guarantee data security has become a current hotspot. As encryption technology has evolved, a number of mature encryption tools implemented on stacked file systems, such as EncFS and eCryptfs, have appeared. However, these tools cannot protect file metadata after encrypting the data. File metadata is data that describes data, chiefly attribute information such as the size and number of files and the directory structure, so the security of existing encryption software is low.
To implement metadata encryption, it is preferable to split a file into a plurality of small files for storage, so that the basic information of the file cannot be inferred from the split small files. At present, a file is mostly split into small files through a data mapping technology, which is usually built on a tree structure; existing tree structures include the binary search tree and the balanced binary search tree. A binary search tree gradually degenerates toward a linear structure when the inserted data gradually decreases, and because query complexity is proportional to depth, query complexity rises as the tree gets deeper. When the size of the data is queried, the size of every data block has to be read and added up, which has high time complexity, takes a long time and is inefficient. In addition, such a tree structure does not standardize how its nodes store data, which easily wastes storage space.
To solve the above problems, the present invention defines a tree structure as follows: the maximum storage capacity of each node in the tree structure is the same, and all leaf nodes except the rightmost leaf node in the tree structure store data with the maximum capacity. Because all leaf nodes except the rightmost one store the maximum capacity of data (as opposed to each leaf node storing only part of its capacity), fewer nodes are needed to store the data, which reduces wasted storage space. And because every leaf node has the same maximum capacity, determining the size of the encrypted data does not require reading the size of the data stored in each node and summing them. Instead, the size of the data to be encrypted is the number of nodes minus 1, multiplied by the maximum node capacity, plus the data size of the rightmost leaf node. In other words, only the data size of the rightmost leaf node has to be accessed, so the size of the encrypted data can be determined quickly and with less time spent.
On the basis of this tree structure, the invention provides a data encryption method capable of improving data security. The method stores the data to be encrypted in the defined tree structure, each node in the tree structure stores a data block or a data block pointer, and each node in the tree structure is encrypted, so that both metadata and real data are protected and the security of data encryption is improved while storage space occupation is reduced. Moreover, the encryption key of each node is stored in the parent node of that node. To decrypt one data block, decryption has to iterate from top to bottom, so decryption is difficult and the security of data encryption is further improved.
The data encryption method provided by the present invention is performed in a computing device. FIG. 1 shows a block diagram of a computing device 100 according to one embodiment of the present invention. As shown in FIG. 1, in a basic configuration 102, the computing device 100 typically includes a system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a Digital Signal Processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 106 may include an operating system 120, one or more applications 122, and program data 124. In some embodiments, application 122 may be arranged to operate with program data 124 on an operating system. Program data 124 includes instructions, and in computing device 100 according to the present invention, program data 124 contains instructions for performing data encryption method 200.
The computing device 100 also includes a storage device 132, the storage device 132 including removable storage 136 and non-removable storage 138, the removable storage 136 and the non-removable storage 138 each connected to the storage interface bus 134. In the present invention, the data related to each event occurring during the program execution process and the time information indicating the occurrence of each event may be stored in the storage device 132, and the operating system 120 is adapted to manage the storage device 132. The storage device 132 may be a magnetic disk.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
Computing device 100 may be implemented as a server, such as a file server, a database server, an application server, a WEB server, etc., or as part of a small-form factor portable (or mobile) electronic device, such as a cellular telephone, a Personal Digital Assistant (PDA), a personal media player device, a wireless WEB-watch device, a personal headset device, an application specific device, or a hybrid device that include any of the above functions. Computing device 100 may also be implemented as a personal computer including both desktop and notebook computer configurations. In some embodiments, the operating system 120 of the computing device 100 is configured to perform a data encryption method 200 in accordance with the present invention.
FIG. 2 shows a flow diagram of a data encryption method 200 according to one embodiment of the invention. The method 200 is suitable for execution in a computing device, such as the computing device 100 described above. As shown in FIG. 2, the data encryption method 200 starts in step S210, in which the data to be encrypted is obtained and mounted. Specifically: the data to be encrypted is obtained; a cache equal in size to the data to be encrypted is created, which reduces memory occupation during encryption; the data to be encrypted is loaded into the cache; the parent node of the data to be encrypted is searched for; a data block (a pointer for storing a file in the data to be encrypted) is created for the data to be encrypted and a data block identifier is created for that data block; the data block corresponding to the data to be encrypted is encrypted with an encryption algorithm; and a directory entry consisting of the name of the data to be encrypted, its data block identifier, and the encryption key of its data block is added to the parent node.
Subsequently, in step S220, the data to be encrypted is stored in a tree structure. Specifically, the data to be encrypted is split into a plurality of data blocks, and each data block is stored in each node corresponding to the data to be encrypted in the tree structure.
In one embodiment, the splitting into data blocks is implemented as follows. The current offset of the data pointer of the data to be encrypted is determined. It is then judged whether the product of the current read count of the data to be encrypted and a first preset value is smaller than the size of the data to be encrypted. If so, data of the first preset value is read, starting from the determined current offset of the data pointer. Otherwise, the amount of data to be read from the determined current offset is determined as a second value by the following formula, and data of the second value is read, starting from the determined current offset of the data pointer:
L=m-(a-1)*b
where L is the amount of data to be read (the second value), m is the memory size occupied by the data to be encrypted, a is the current read count of the data to be encrypted, and b is the first preset value. The first preset value is the same as the maximum storage capacity of each node in the tree structure, that is, the leaf nodes corresponding to the data to be encrypted in the tree structure all have the same maximum capacity for stored data.
Because the leaf nodes corresponding to the data to be encrypted in the tree structure all have the same maximum capacity, and the leaf nodes store the data blocks, obtaining the size of the encrypted data after it has been stored in the tree structure does not require reading the size of the data stored in each node and summing them. Instead, the number of nodes minus 1 is multiplied by the maximum node capacity and the data size of the rightmost leaf node is added. In other words, the size of the encrypted data can be calculated by accessing only the data size of the rightmost leaf node, so the size of the data can be obtained quickly and with less time spent.
In one embodiment, data to be encrypted with a size of 2GB was tested with AES-256-GCM as the encryption algorithm, and the time taken to copy and delete the data was recorded for different data block sizes, as shown in Table 1:
TABLE 1

| Data block size | Time to encrypt a single data block | Time to copy data blocks | Time to delete data blocks |
|---|---|---|---|
| 32KB | 23us | 36s | 17s |
| 128KB | 72us | 24s | 8s |
| 256KB | 130us | 22s | 6s |
| 512KB | 254us | 21s | 4s |
| 1024MB | 15643us | 20s | 3s |

As Table 1 shows, with a data block size of 512MB, copying the data blocks takes 21s and deleting them takes 4s; compared with a data block size of 256 MB (22s to copy and 6s to delete), that is 1s less for copying and 2s less for deleting. With a data block size of 1024KB, copying takes 20s and deleting takes 3s; compared with 512MB, a block size of 1024MB saves only 1s when copying and 1s when deleting, so the performance gain at 1024MB is very small, while encryption becomes much more time-consuming as the data block size increases. The first value is therefore set to 512KB, and the maximum storage capacity of each node in the tree structure is also 512 KB.
Then, the read data is taken as a data block, and the current offset of the data pointer is updated to the sum of the determined current offset of the data pointer and the first preset value. Repeating the above process divides the data to be encrypted into a plurality of data blocks.
When the data to be encrypted is split into data blocks in this way, all leaf nodes except the rightmost leaf node store data with the maximum capacity. Because those leaf nodes are full, fewer nodes are needed to store data of the same size, so less storage space is occupied during data encryption, system operating efficiency improves, and data encryption efficiency improves as well.
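The splitting rule, the parent-holds-child-key tree and the size calculation described above can be seen working together in the following Python code, which is an added example and not code from the patent. The fan-out, the byte layout of a node, the random node identifiers and the SHAKE-256/HMAC stand-in cipher (used in place of AES-256-GCM so the code runs on the standard library alone) are assumptions.

```python
import hashlib
import hmac
import os

B = 512 * 1024          # first preset value b = maximum node capacity (512 KB on the page)
FANOUT = 4              # assumption: children per internal node; the page does not fix it
ID_LEN, KEY_LEN = 16, 32


def split(data, b=B):
    """Read b bytes per pass; the final pass reads L = m - (a - 1) * b bytes."""
    m, offset, a, blocks = len(data), 0, 1, []
    while offset < m:
        n = b if a * b < m else m - (a - 1) * b
        blocks.append(data[offset:offset + n])
        offset += n     # new offset = old offset + amount read
        a += 1          # a = current read count
    return blocks


def _xor(x, y):
    return (int.from_bytes(x, "big") ^ int.from_bytes(y, "big")).to_bytes(len(x), "big")


def seal(key, plain):
    """Stand-in authenticated cipher (NOT AES-256-GCM): SHAKE-256 keystream + HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor(plain, hashlib.shake_256(key + nonce).digest(len(plain)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("node failed authentication")
    return _xor(ct, hashlib.shake_256(key + nonce).digest(len(ct)))


def build(data, b=B, fanout=FANOUT):
    """Encrypt every node under its own key; return (store, root_id, root_key)."""
    store = {}          # node id -> encrypted node; this is all an observer of storage sees

    def put(plain):
        node_id, key = os.urandom(ID_LEN), os.urandom(KEY_LEN)
        store[node_id] = seal(key, plain)
        return node_id + key        # entry that will live only inside the parent node

    # Leaves hold data blocks ("L"); internal nodes hold child ids and child keys ("I").
    level = [put(b"L" + blk) for blk in split(data, b)] or [put(b"L")]
    while len(level) > 1:
        level = [put(b"I" + b"".join(level[i:i + fanout]))
                 for i in range(0, len(level), fanout)]
    return store, level[0][:ID_LEN], level[0][ID_LEN:]


def open_node(store, node_id, key):
    """Decrypt one node; return (child entries, None) or (None, leaf data)."""
    plain = unseal(key, store[node_id])
    body = plain[1:]
    if plain[:1] == b"L":
        return None, body
    step = ID_LEN + KEY_LEN
    return [(body[i:i + ID_LEN], body[i + ID_LEN:i + step])
            for i in range(0, len(body), step)], None


def read_all(store, root_id, root_key):
    """Top-down decryption: each child key is only reachable through its parent."""
    kids, leaf = open_node(store, root_id, root_key)
    if kids is None:
        return leaf
    return b"".join(read_all(store, cid, ckey) for cid, ckey in kids)


def data_size(store, root_id, root_key, b=B, fanout=FANOUT):
    """(leaf count - 1) * b + size of rightmost leaf, decrypting one root-to-leaf path.

    Relies on this layout's property that all leaves sit at the same depth and
    only the rightmost node of each level may be partly filled.
    """
    idx, node_id, key = 0, root_id, root_key
    while True:
        kids, leaf = open_node(store, node_id, key)
        if kids is None:
            return idx * b + len(leaf)
        idx = idx * fanout + len(kids) - 1   # index of the rightmost child one level down
        node_id, key = kids[-1]
```

Only the root identifier and root key have to be kept outside the tree; losing or withholding them makes every node below unreadable.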
After the data to be encrypted is split into a plurality of data blocks, in an embodiment, as shown in fig. 5, fig. 5 is a flowchart of a method for storing the data blocks into nodes corresponding to the data to be encrypted in a tree structure according to the present invention, where fig. 5 includes steps S510 to S570.
In step S510, a data block identifier is allocated to each data block and version information is set for each data block. Each data block identifier is unique and may be a random number, a random character, a random combination of numbers and characters, and the like (for example, 1, 2); the invention does not limit this. The version information distinguishes the versions of a data block and may likewise be a random number, a random character, a random combination of numbers and characters, and the like. Storing the data block identifier and the version information in the node amounts to standardizing the format of the nodes that store data. It prevents an attacker from replacing or deleting the data corresponding to the current data block identifier by using data corresponding to a different data block identifier, and from replacing or deleting the current version of the data by using data of a previous version, which improves the security of data encryption.
Next, in step S520, it is determined whether the current node has a child node. If so, step S530 is executed: the data block identifier of the data block stored in the child node of the current node is stored in the current node. If not, step S540 is executed: it is determined whether a node not filled with data exists in the other subtrees of the tree structure. If no such node exists, step S550 is executed: the allocated data block identifier and the set version information are used as the header of the data block, and the current data block and its header are stored in the current node.
If a node not filled with data exists in the other subtrees of the tree structure, step S560 is executed: it is determined whether the sum of the size of the data block corresponding to the read data of the second value and the size of the data block in the unfilled node exceeds the maximum storage capacity of a node. If it does, step S550 is executed; if it does not, step S570 is executed and the data block corresponding to the read data of the second value is merged into the unfilled node that was found. Because data blocks destined for unfilled nodes in different subtrees of the tree structure can be merged, wasted storage space is reduced while the storage space occupied during data encryption is also reduced.
Then, in step S230, each node in the tree structure corresponding to the data to be encrypted is encrypted by an encryption algorithm. In one embodiment, a plurality of nodes corresponding to the data to be encrypted in the tree structure are encrypted in parallel in a single pass, that is, a plurality of data blocks can be encrypted at the same time, which improves encryption efficiency. The encryption algorithm includes, but is not limited to, AES-256-GCM and Twofish-256-GCM; the invention does not limit this, and all encryption algorithms fall within the protection scope of the present invention.
Take as an example data to be encrypted that includes one file, where the file is split into three data blocks and the third data block is smaller than the maximum storage capacity of a node. The tree structure of the data to be encrypted is shown in the solid-line box in Fig. 3, which is a schematic diagram of the tree structure. The subtree in the solid-line box includes nodes 1 to 5: node 1 is a parent node of the tree structure, node 2 is a child node of node 1, and nodes 3 to 5 are child nodes of node 2. Node 1 stores the file pointer corresponding to the data to be encrypted, node 2 stores the data block pointers obtained by splitting the file included in the data to be encrypted into three data blocks, and nodes 3 to 5 store the three split data blocks respectively. Node 5 is not full and has some vacant storage space.
The tree structure corresponds to a mapping table: once the data to be encrypted is stored in the tree structure, it corresponds to a mapping table. Taking the tree structure in the solid-line box in Fig. 3 as an example, the corresponding mapping table is shown in Fig. 4, which is a schematic diagram of the mapping table of the tree structure corresponding to the file to be encrypted. In Fig. 4, the data block with data block identifier 1 (ID:1) is the data block created for the data to be encrypted. It stores the file pointer of the file included in the data to be encrypted, for example memo.txt:2, where memo.txt is the file name of that file and "2" is the file pointer of the memo.txt file. The data block with data block identifier 2 (ID:2) stores the data block pointers of the three data blocks into which the file is split, and the data blocks with data block identifiers 3 to 5 (ID:3, ID:4 and ID:5) store the three split data blocks: the data block with identifier 3 stores the first data block, the data block with identifier 4 stores the second data block, and the data block with identifier 5 stores the third data block. Because the third data block is smaller than the maximum storage capacity of a node, the data block with identifier 5 has some free storage space (the part enclosed by the dotted line in the data block with ID:5).
Finally, in step S240, the encryption key of each node is saved in the parent node of that node, where the encryption key is the password used to encrypt and decrypt the data block.
In summary, the data encryption method provided by the invention splits the data to be encrypted into a plurality of data blocks, stores the data blocks in a tree structure in which each node holds either a data block or data block pointers, and encrypts every node in the tree structure. This protects both the metadata and the real data and improves the security of data encryption. Moreover, because the encryption key of each node is stored in that node's parent node, decrypting any one data block requires iterating the decryption from the top of the tree downward, which increases the difficulty of decryption and further improves the security of data encryption.
After the data to be encrypted has been encrypted, the invention also adds a conflict check operation, as follows. In response to an operation that deletes a data block in a node corresponding to the data to be encrypted in the tree structure, the data block identifier of the deleted data block is stored in a deletion list. In response to an operation that adds a data block, it is determined whether the data block identifier of the newly added data block exists in the deletion list; if it does, the new data block is not added to the node corresponding to the data to be encrypted in the tree structure, and if it does not, the new data block is added to that node. With this check, an attacker cannot add a data block again after deleting it, and therefore cannot decrypt a data block by deleting it and then adding it back, which further improves the security of data encryption.
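The splitting rule, the per-node header, the storage of each node's key in its parent and the deletion list described above can be seen working together in the following added example, which is not code from the patent. It assumes a standard-library stand-in cipher (SHAKE-256 keystream with an HMAC-SHA256 tag) in place of AES-256-GCM so that it runs without third-party packages; the names `Store`, `split`, `encrypt_file` and `decrypt_file`, the 44-byte parent entry layout, and keeping the expected version in the parent entry are all assumptions of this example.

```python
import hashlib, hmac, os, struct

BLOCK = 512 * 1024               # first preset value b (512 KB on the page)
ENTRY = struct.Struct(">QI32s")  # assumed parent entry: child ID, version, key
HEADER = struct.Struct(">QI")    # header stored inside each node: ID, version

def split(data, b=BLOCK):
    """Read b bytes per pass; the final pass reads L = m-(a-1)*b bytes."""
    m, offset, a, blocks = len(data), 0, 1, []
    while offset < m:
        n = b if a * b < m else m - (a - 1) * b
        blocks.append(data[offset:offset + n])
        offset, a = offset + n, a + 1
    return blocks

def _xor(data, key, nonce):
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(key, plaintext):
    """Stand-in for AES-256-GCM: SHAKE-256 keystream plus HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor(ct, key, nonce)

class Store:
    def __init__(self):
        self.nodes = {}       # block ID -> encrypted node as stored
        self.deleted = set()  # deletion list used by the conflict check
        self._next = 0

    def alloc(self):
        self._next += 1
        return self._next

    def put(self, block_id, payload, version=1):
        if block_id in self.deleted:
            raise ValueError("block ID is in the deletion list")
        key = os.urandom(32)  # every node gets its own key
        self.nodes[block_id] = seal(key, HEADER.pack(block_id, version) + payload)
        return block_id, version, key  # entry to be kept in the parent node

    def get(self, entry):
        block_id, version, key = entry
        plain = unseal(key, self.nodes[block_id])
        if HEADER.unpack(plain[:HEADER.size]) != (block_id, version):
            raise ValueError("header does not match the parent's entry")
        return plain[HEADER.size:]

    def delete(self, block_id):
        del self.nodes[block_id]
        self.deleted.add(block_id)

def encrypt_file(store, name, data, b=BLOCK):
    root_id, file_id = store.alloc(), store.alloc()
    leaves = [store.put(store.alloc(), blk) for blk in split(data, b)]
    file_entry = store.put(file_id, b"".join(ENTRY.pack(*e) for e in leaves))
    return store.put(root_id, ENTRY.pack(*file_entry) + name.encode())

def decrypt_file(store, root_entry):
    """Top-down: each level yields the IDs and keys needed for the next."""
    root = store.get(root_entry)
    file_entry, name = ENTRY.unpack(root[:ENTRY.size]), root[ENTRY.size:].decode()
    leaves = list(ENTRY.iter_unpack(store.get(file_entry)))
    return name, b"".join(store.get(e) for e in leaves)

def demo():
    store, data = Store(), os.urandom(2500)  # constructed sample input
    root = encrypt_file(store, "memo.txt", data, b=1024)
    round_trip = decrypt_file(store, root) == ("memo.txt", data)
    store.nodes[3], store.nodes[4] = store.nodes[4], store.nodes[3]  # swap leaves
    try:
        decrypt_file(store, root)
        swap_detected = False
    except ValueError:
        swap_detected = True
    store.delete(5)
    try:
        store.put(5, b"re-added block")
        readd_blocked = False
    except ValueError:
        readd_blocked = True
    return round_trip, sorted(store.nodes), swap_detected, readd_blocked

if __name__ == "__main__":
    print(demo())
```

With a 1024-byte block size the 2500-byte sample yields the five-node layout of Fig. 3 (IDs 1 to 5), and the only secret held outside the tree is the root node's entry returned by `encrypt_file`.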
A9. The method of any one of A1 to A8, further comprising the steps of:
acquiring a name of data to be encrypted;
searching a father node of data to be encrypted;
creating a data block for data to be encrypted and creating a data block identifier;
encrypting a data block corresponding to the data to be encrypted by an encryption algorithm;
and adding a directory entry of the data to be encrypted in the parent node, wherein the directory entry comprises the name of the data to be encrypted, the data block identifier corresponding to the data to be encrypted and the encryption key of the data block corresponding to the data to be encrypted.
A10. The method according to any one of A3 to A9, wherein the maximum storage capacity of each node in the tree structure is equal to the first predetermined value, which is 512 KB.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, USB flash drives, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the data encryption method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (10)

1. A data encryption method, executed in a computing device, the method comprising the steps of:
acquiring data to be encrypted;
storing the data to be encrypted in a tree structure, wherein the maximum storage capacity of each node in the tree structure is the same, and all leaf nodes except the rightmost leaf node in the tree structure store the data with the maximum capacity;
encrypting each node corresponding to the data to be encrypted in the tree structure through an encryption algorithm;
and storing the encryption key of each node into the parent node of the node.
2. The method of claim 1, wherein the step of storing the data to be encrypted in a tree structure comprises:
and splitting the data to be encrypted into a plurality of data blocks, and storing each data block into each node corresponding to the data to be encrypted in the tree structure.
3. The method of claim 2, wherein the splitting the data to be encrypted into a plurality of data blocks comprises:
determining the current offset of a data pointer of the data to be encrypted;
taking the determined current offset of the data pointer as an initial position, and reading data of a first preset numerical value from the data to be encrypted as a data block;
and updating the current offset of the data pointer to be the sum of the determined current offset of the data pointer and the first preset numerical value.
4. The method of claim 3, wherein the step of reading the data of the first preset value from the data to be encrypted as a data block with the determined current offset of the data pointer as a starting position comprises:
judging whether the product of the current number of reads of the data to be encrypted and the first preset value is smaller than the size of the data to be encrypted; if so, reading data of the first preset value with the determined current offset of the data pointer as the starting position; otherwise, determining, by the following formula, the amount of data to be read as a second value, and reading data of the second value with the determined current offset of the data pointer as the starting position:
L=m-(a-1)*b
wherein L is the amount of data to be read from the data to be encrypted, m is the memory size occupied by the data to be encrypted, a is the current number of reads of the data to be encrypted, and b is the first preset value;
the read data is used as a data block.
5. The method of claim 4, wherein the step of saving each data block into each node in the tree structure corresponding to the data to be encrypted comprises:
allocating a data block identifier for each data block and setting version information for each data block, wherein the data block identifier of each data block is not repeated, and the version of each data block is distinguished through the data block version information;
and judging whether the current node has a child node, if so, storing the data block identifier of the data block stored in the child node corresponding to the current node in the current node, if not, taking the allocated data block identifier and the set version information as the header file of the data block, and storing the current data block and the header file corresponding to the data block into the current node.
6. The method as claimed in claim 5, wherein the step of using the allocated data block identifier and the set version information as a header file of the data block, and saving the current data block and the header file corresponding to the data block into the current node comprises:
judging whether other subtrees in the tree structure have nodes which are not filled with data or not, if not, executing a step of taking the distributed data block identifications and the set version information as header files of the data blocks and storing the current data blocks and the header files corresponding to the data blocks into the current nodes, and if so, judging whether the sum of the size of the data blocks corresponding to the read second numerical data and the size of the data blocks in the nodes which are not filled with data exceeds the maximum storage capacity of the nodes or not;
if the maximum storage capacity of the node is exceeded, executing a step of taking the distributed data block identification and the set version information as a header file of the data block and storing the current data block and the header file corresponding to the data block into the current node;
and if the maximum storage capacity of the node is not exceeded, merging the data blocks corresponding to the read second numerical data into the found node which is not filled with data.
7. The method according to any one of claims 1 to 6, wherein the step of encrypting each node corresponding to the data to be encrypted in the tree structure by an encryption algorithm comprises:
and encrypting a plurality of nodes corresponding to the data to be encrypted in the tree structure in parallel at one time through an encryption algorithm.
8. The method of any one of claims 1 to 7, further comprising the step of:
responding to the operation of deleting the data blocks in the nodes corresponding to the data to be encrypted in the tree structure, and storing the data block identifications corresponding to the deleted data blocks into a deletion list;
responding to the operation of adding a new data block, judging whether the data block identification of the new data block exists in the deletion list, if so, not adding the new data block to the node corresponding to the data to be encrypted in the tree structure, and if not, adding the new data block to the node corresponding to the data to be encrypted in the tree structure.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-8.
10. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-8.
CN202110429144.9A 2021-04-21 2021-04-21 Data encryption method and computing device Active CN113139195B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110429144.9A CN113139195B (en) 2021-04-21 2021-04-21 Data encryption method and computing device
PCT/CN2021/118419 WO2022222350A1 (en) 2021-04-21 2021-09-15 Method for encrypting data, and computing device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110429144.9A CN113139195B (en) 2021-04-21 2021-04-21 Data encryption method and computing device

Publications (2)

Publication Number Publication Date
CN113139195A true CN113139195A (en) 2021-07-20
CN113139195B CN113139195B (en) 2023-10-13

Family

ID=76813666

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110429144.9A Active CN113139195B (en) 2021-04-21 2021-04-21 Data encryption method and computing device

Country Status (2)

Country Link
CN (1) CN113139195B (en)
WO (1) WO2022222350A1 (en)


Also Published As

Publication number Publication date
CN113139195B (en) 2023-10-13
WO2022222350A1 (en) 2022-10-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant